
On May 31, 2023, Progress Software released a security bulletin about a critical vulnerability in MOVEit Transfer. The security bulletin states: “a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.”

This means the vulnerability could lead to an attacker gaining escalated privileges and unauthorized access to the environment.

MOVEit Transfer is a widely used file transfer software which encrypts files and uses secure File Transfer Protocols to transfer data. Progress advertises MOVEit as the leading secure Managed File Transfer (MFT) software used by thousands of organizations around the world to provide complete visibility and control over file transfer activities. As such it has a large userbase in the healthcare industry and many others. To give you an idea of the possible impact, a Shodan search query for exposed MOVEit Transfer instances yielded over 2,500 results, most of which belong to US customers.

Several researchers have observed that this vulnerability is being exploited in the wild. BleepingComputer says it has information that cybercriminals have been exploiting the zero-day in the MOVEit MFT software to perform massive data downloads from organizations. The method used to compromise systems is to drop a webshell in the wwwroot folder of the MOVEit install directory. This allows the attacker to obtain a list of all folders, files, and users within MOVEit, download any file within MOVEit, and insert an administrative backdoor user, giving attackers an active session that allows credential bypass.

The Cybersecurity and Infrastructure Agency (CISA) is urging users and organizations to review the MOVEit Transfer Advisory, follow the mitigation steps, apply the necessary updates, and hunt for any malicious activity. Several researchers have provided methods to make the hunt easy:

MoveIT-WebShellCheck, a Python script by ZephrFish.

Note: A Sigma rule is a generic and open YAML-based signature format that enables a security operations team to describe relevant log events in a flexible and standardized format. YARA rules are a way of identifying malware (or other files) by creating rules that look for certain characteristics.

Mitigation

All MOVEit Transfer versions are affected by this vulnerability. See the table below for the security patch for each supported version.
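The article notes that compromise is carried out by dropping a webshell into the wwwroot folder of the MOVEit install directory, and points to hunting scripts such as MoveIT-WebShellCheck. The following is an added example, not code from the article, from Progress, or from ZephrFish: a baseline-driven integrity check that snapshots a known-good web root once and later reports files that are new, modified, or missing, flagging server-side script and binary extensions as high severity. It relies on no file names or hashes of any real webshell (the page gives none); the web root layout, the baseline file name, and the sample files are constructed assumptions.

```python
"""Added example (not the article's or ZephrFish's code): baseline-driven hunt for
unexpected files under a MOVEit Transfer web root.

Instead of matching known webshell names, the script records a SHA-256 baseline
of a known-good web root and later diffs the live tree against it. The web root
path, baseline file name and sample files are assumptions for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Server-side script/binary extensions that should not appear or change in an
# IIS web root without a deployment; changes to these are reported as high.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".dll", ".config"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(webroot: Path) -> dict:
    """Map each file's POSIX-style path relative to webroot to its SHA-256."""
    return {
        p.relative_to(webroot).as_posix(): sha256_of(p)
        for p in sorted(webroot.rglob("*"))
        if p.is_file()
    }


def save_baseline(webroot: Path, baseline_file: Path) -> None:
    """Persist the known-good snapshot; take it from a clean, patched install."""
    baseline_file.write_text(json.dumps(snapshot(webroot), indent=2))


def hunt(webroot: Path, baseline_file: Path) -> list:
    """Diff the live web root against the saved baseline.

    Returns sorted (status, relative_path, severity) tuples; status is 'new',
    'modified' or 'missing', severity is 'high' for script/binary extensions
    (the dropped-webshell case) and 'low' for everything else.
    """
    baseline = json.loads(baseline_file.read_text())
    current = snapshot(webroot)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            status = "new"
        elif baseline[rel] != digest:
            status = "modified"
        else:
            continue
        sev = "high" if Path(rel).suffix.lower() in SCRIPT_EXTENSIONS else "low"
        findings.append((status, rel, sev))
    for rel in baseline:
        if rel not in current:
            findings.append(("missing", rel, "low"))
    return sorted(findings)


def demo() -> list:
    """Constructed scenario: baseline a clean web root, then an unexpected .aspx
    file appears and a static asset is edited; returns the hunt findings."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "wwwroot"  # assumed layout, not MOVEit's real tree
        (webroot / "css").mkdir(parents=True)
        (webroot / "default.aspx").write_text("<%@ Page %>")  # constructed
        (webroot / "css" / "site.css").write_text("body{}")  # constructed
        baseline = Path(tmp) / "wwwroot-baseline.json"
        save_baseline(webroot, baseline)

        # Simulated post-incident state: one dropped script, one edited asset.
        (webroot / "dropped.aspx").write_text("<%@ Page %> <!-- constructed -->")
        (webroot / "css" / "site.css").write_text("body{color:red}")
        return hunt(webroot, baseline)


if __name__ == "__main__":
    for status, rel, sev in demo():
        print(f"[{sev.upper():4}] {status:8} {rel}")
```

In practice the baseline is taken from a freshly patched install and stored off-host (an attacker with write access to wwwroot could otherwise rewrite it), and `hunt` is run on a schedule so that a new server-side file in the web root raises an alert the same day it lands.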
